1 Answer
0
You haven't mentioned which type of API Gateway you're using (REST or HTTP).
If using a REST API Gateway you can validate the request including the headers. So to prevent request smuggling you could block requests that have a header where "Transfer-Encoding" is "chunked".
We also encountered the same issue during a security assessment. It appears that the AWS API gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested or enable WAF on the API gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API gateways inherently drop the Transfer-Encoding header.
That's covered on this page in the documentation.
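The header check suggested in the answer, as an added example that is not part of the original thread and not AWS code: a Python function that inspects a raw HTTP/1.1 request head at a component that still sees the raw headers and reports chunked or ambiguous body framing. It goes beyond the answer by also flagging Content-Length conflicts; the function names, finding labels and sample requests are assumptions constructed for illustration.

```python
# Added example: body-framing check on a raw HTTP/1.1 request head.
# Names and finding labels are hypothetical; sample requests are constructed.

def parse_head(raw: bytes):
    """Return (request_line, [(raw_name, value), ...]) from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Keep the raw name so stray whitespace around it can be reported.
        headers.append((name, value.strip(" \t")))
    return lines[0], headers

def framing_findings(raw: bytes):
    """List the reasons a request's body framing is chunked or ambiguous."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    findings = []
    if any(n != n.strip() for n, _ in headers):
        findings.append("whitespace-in-header-name")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if "chunked" in codings:
            findings.append("transfer-encoding-chunked")
        if codings != ["chunked"]:
            findings.append("unexpected-transfer-coding")
        if cl:
            # Two framing headers at once: intermediaries may disagree on length.
            findings.append("content-length-with-transfer-encoding")
    if len(set(cl)) > 1:
        findings.append("conflicting-content-length")
    if any(not (v.isascii() and v.isdigit()) for v in cl):
        findings.append("non-numeric-content-length")
    return findings

def should_block(raw: bytes) -> bool:
    """Policy from the answer, extended: block on any framing finding."""
    return bool(framing_findings(raw))

# Constructed sample requests (api.example.com is a placeholder host).
HEAD = b"POST /items HTTP/1.1\r\nHost: api.example.com\r\n"
PLAIN = HEAD + b"Content-Length: 2\r\n\r\n{}"
CHUNKED = HEAD + b"Transfer-Encoding: chunked\r\n\r\n2\r\n{}\r\n0\r\n\r\n"
BOTH = HEAD + b"Content-Length: 2\r\nTransfer-Encoding: chunked\r\n\r\n{}"

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("chunked", CHUNKED), ("both", BOTH)):
        print(label, should_block(req), framing_findings(req))
```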